Creating a certificate revocation list (crl) – Brocade Virtual ADX Security Guide (Supporting ADX v03.1.00) User Manual

Brocade Virtual ADX Security Guide, 53-1003250-01, page 129

Chapter 6: Advanced SSL profile configuration

Virtual ADX(config)#ssl profile profile1

Virtual ADX(config-ssl-profile-profile1)#ca-cert-file certfile1

Syntax: ca-cert-file ca-certificate-filename

The ca-certificate-filename variable specifies the name of the certificate file where a CA certificate
is stored.

Creating a certificate revocation list (CRL)

Certificate revocation lists contain the list of certificates that have been revoked by a CA. A
certificate can be revoked by a CA for many reasons. A common reason is that the key pair that
corresponds to the issued certificate has been compromised.

A client’s SSL certificate may be revoked at any time for several reasons, such as:

• The Certificate Authority (CA) issued the certificate improperly

• The public key has been compromised

Each CA publishes its certificate revocation list (CRL) periodically. The CRL contains the serial
numbers of the revoked certificates. Servers that use SSL authentication download this CRL so that
they can refuse connections from clients whose certificates have been revoked.

The Brocade Virtual ADX allows an administrator to configure up to 10 URLs from which CRLs are
retrieved, and it fetches each list periodically. As discussed earlier, the CRL approach has some
limitations:

• The CRL must be updated frequently to keep the list current.

• The CRL database is large, often 200 KB to 20 MB in size, and therefore consumes a lot of on-box
memory.

• A CRL provides no mechanism to verify a client certificate in real time.

Certificate revocation lists are typically maintained on the CA’s Web site and can be downloaded
using HTTP. The list is usually in DER or PEM format.

The Brocade Virtual ADX supports up to ten CRL records. Each CRL record can be up to 255K in size.

Syntax: ssl crl-record local-name url der | pem refresh-interval-in-hours

The local-name variable specifies a name for the CRL entry. The value of this entry is an ASCII
string.

The url variable specifies the location from which the CRL is downloaded. The host in this value
can be either an IP address or a domain name.

The pem parameter directs the CRL to be downloaded in the PEM format.

The der parameter directs the CRL to be downloaded in the DER format.

The refresh-interval-in-hours variable specifies the number of hours to wait before the CRL is
fetched again.
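The CRL handling described above (a downloaded DER or PEM list of revoked serial numbers, kept within a per-record size limit and refreshed on an interval) as an added Python example; it is not code from this guide or from Brocade. It constructs a small CRL with a hand-rolled DER encoder so it runs offline, extracts the revoked serial numbers with a minimal DER reader that follows the CertificateList layout of RFC 5280 section 5, and models one crl-record entry. The injected fetch callable, the CN=Example CA issuer, the URL, the serial numbers and the reading of "255K" as 255 KiB are all assumptions. It deliberately does not verify the CRL signature; a real implementation must check the signature against the issuing CA certificate before trusting the list.

```python
# Added example, not Brocade's code: constructs an X.509 CRL in DER, wraps it as PEM, parses the
# revoked serial numbers back out, and models one CRL record's size limit and refresh interval as
# the guide describes. Layout per RFC 5280 section 5; signature verification is NOT done here.
import base64
from datetime import datetime, timedelta

# ---- minimal DER encoder, used only to construct the sample CRL ----
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b                 # long-form length

def tlv(tag, body): return bytes([tag]) + _der_len(len(body)) + body
def seq(*items): return tlv(0x30, b"".join(items))
def utctime(s): return tlv(0x17, s.encode())
def der_int(v): return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))  # non-negative INTEGER

OID_SHA256_RSA = bytes.fromhex("06092a864886f70d01010b")   # sha256WithRSAEncryption
ALG_ID = seq(OID_SHA256_RSA, tlv(0x05, b""))                # AlgorithmIdentifier with NULL params
ISSUER = seq(tlv(0x31, seq(bytes.fromhex("0603550403"), tlv(0x0C, b"Example CA"))))  # CN=Example CA

def build_sample_crl(revoked):
    # CertificateList = SEQUENCE { tbsCertList, signatureAlgorithm, signatureValue }
    entries = seq(*(seq(der_int(s), utctime("240102000000Z")) for s in revoked))
    tbs = seq(der_int(1), ALG_ID, ISSUER, utctime("240101000000Z"),   # v2, thisUpdate
              utctime("240108000000Z"), entries)                      # nextUpdate, revokedCertificates
    return seq(tbs, ALG_ID, tlv(0x03, b"\x00" + b"\xaa" * 16))        # placeholder signature BIT STRING

# ---- minimal DER reader, enough to walk a CRL's TBSCertList ----
def der_read(buf, pos=0):                             # one TLV at pos -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(body):                               # yields (tag, value) for each element
    pos = 0
    while pos < len(body):
        tag, val, pos = der_read(body, pos)
        yield tag, val

def pem_to_der(data):
    if b"-----BEGIN X509 CRL-----" not in data:
        raise ValueError("not a PEM-encoded CRL")
    lines = [l for l in data.splitlines() if l and not l.startswith(b"-----")]
    return base64.b64decode(b"".join(lines))

def revoked_serials(crl_der):
    """Set of revoked serial numbers in a DER CertificateList (RFC 5280 5.1)."""
    tag, cert_list, _ = der_read(crl_der)
    if tag != 0x30:
        raise ValueError("CertificateList must be a SEQUENCE")
    fields = list(der_children(der_read(cert_list)[1]))   # tbsCertList is the first element
    if fields[0][0] == 0x02:                          # optional version INTEGER
        fields = fields[1:]
    fields = fields[3:]                               # skip signature, issuer, thisUpdate
    if fields and fields[0][0] in (0x17, 0x18):       # optional nextUpdate (UTC/GeneralizedTime)
        fields = fields[1:]
    serials = set()
    if fields and fields[0][0] == 0x30:               # revokedCertificates SEQUENCE OF SEQUENCE
        for _, entry in der_children(fields[0][1]):
            serial = der_read(entry)[1]               # userCertificate INTEGER comes first
            serials.add(int.from_bytes(serial, "big", signed=True))
    return serials

# ---- model of one "ssl crl-record local-name url der|pem refresh-interval-in-hours" ----
MAX_CRL_BYTES = 255 * 1024     # guide: each record up to 255K (read as KiB here; assumption)

class CrlRecord:
    def __init__(self, local_name, url, fmt, refresh_hours, fetch):
        self.local_name, self.url, self.fmt = local_name, url, fmt
        self.interval = timedelta(hours=refresh_hours)
        self.fetch = fetch                            # callable(url) -> bytes, injected to run offline
        self.fetched_at, self.serials = None, set()

    def update(self, now):
        raw = self.fetch(self.url)
        if len(raw) > MAX_CRL_BYTES:
            raise ValueError(f"CRL {self.local_name} exceeds the per-record size limit")
        self.serials = revoked_serials(pem_to_der(raw) if self.fmt == "pem" else raw)
        self.fetched_at = now

    def is_revoked(self, serial, now):
        if self.fetched_at is None or now - self.fetched_at >= self.interval:
            self.update(now)                          # refetch only once the interval has elapsed
        return serial in self.serials

# constructed sample: serials 0x1001 and 0x2002 are revoked, 0x3003 is not
SAMPLE_DER = build_sample_crl([0x1001, 0x2002])
SAMPLE_PEM = b"-----BEGIN X509 CRL-----\n" + base64.encodebytes(SAMPLE_DER) + b"-----END X509 CRL-----\n"

def demo():
    rec = CrlRecord("crl1", "http://ca.example/ca.crl", "pem", 24, lambda url: SAMPLE_PEM)
    t0 = datetime(2024, 1, 1, 12, 0)
    hit = rec.is_revoked(0x1001, t0)                  # first lookup triggers the fetch
    rec.is_revoked(0x3003, t0 + timedelta(hours=23))  # inside the interval: cached list used
    cached = rec.fetched_at == t0
    miss = rec.is_revoked(0x3003, t0 + timedelta(hours=25))   # past the interval: refetched
    return hit, miss, cached, rec.fetched_at == t0 + timedelta(hours=25)   # -> (True, False, True, True)
```

Calling demo() shows the interval behaviour the syntax describes: with refresh-interval-in-hours set to 24 the list is fetched on the first lookup, reused 23 hours later, and fetched again after 25 hours. The fetch callable stands in for the HTTP download so the example runs offline; in practice the download step is also where the size limit and the signature check belong, before any serial from the list is trusted.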

NOTE

Limiting the maximum number of connections from all client IPs is supported only through the
max-conn default num command. The max-conn 0.0.0.0/0 num command is no longer supported.